Authenticated Command Injection in D-Link DIR‑650IN Router Exposes Network Devices to Full Compromise
What Happened — An authenticated command‑injection flaw was discovered in the Diagnostic (Ping/Traceroute) feature of D‑Link’s DIR‑650IN wireless router. By injecting a pipe (|) and OS commands into the sysHost parameter, a low‑privilege user can execute arbitrary commands, read /etc/passwd and gain full control of the device.
Why It Matters for TPRM —
- Router compromise can provide attackers a foothold inside a customer’s LAN, enabling lateral movement.
- Credential‑based exploitation bypasses many perimeter defenses that assume only privileged accounts can affect firmware.
- Unpatched routers in a supply chain can become pivot points for broader enterprise breaches.
Who Is Affected — Telecommunications, Managed Service Providers, any organization that deploys D‑Link DIR‑650IN (or similar consumer‑grade routers) in office or branch locations.
Recommended Actions —
- Verify whether the DIR‑650IN model or firmware V1.04 is in use across your vendor ecosystem.
- Upgrade to the latest firmware that removes the vulnerable diagnostic endpoint, or replace the device with a supported, securely managed model.
- Enforce least‑privilege access to router web interfaces; consider MFA or network segmentation for management traffic.
Technical Notes — The flaw resides in the sysHost parameter of /boafrm/formSysCmd. No CVE has been assigned yet. Exploitation requires valid credentials (often default admin/password) and results in OS‑level command execution, allowing sensitive files such as /etc/passwd to be read. Source: Exploit‑DB 52508
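Detection example (added here, not part of the original advisory or D‑Link's code): a check over captured requests to /boafrm/formSysCmd that flags any sysHost value that is not a plain IP address or hostname, using an allowlist rather than a search for the pipe character alone. The record format (source IP, path, URL-encoded body) and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Endpoint and parameter named in the advisory.
DIAG_PATH = "/boafrm/formSysCmd"
DIAG_PARAM = "sysHost"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(\.{_LABEL})*")

def is_plain_host(value: str) -> bool:
    """True only if value is an IP literal or a syntactically valid hostname."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None

def flag_requests(records):
    """Return (src, value) for diagnostic requests whose sysHost is not a plain host.
    records: iterable of (src_ip, path, urlencoded_body) tuples (assumed format)."""
    hits = []
    for src, path, body in records:
        if path.split("?", 1)[0] != DIAG_PATH:
            continue
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get(DIAG_PARAM, []):
            if not is_plain_host(value):
                hits.append((src, value))
    return hits

# Constructed sample records; the appended command is a harmless placeholder.
SAMPLE = [
    ("192.0.2.10", "/boafrm/formSysCmd", "sysHost=8.8.8.8"),
    ("192.0.2.10", "/boafrm/formSysCmd", "sysHost=example.com"),
    ("192.0.2.77", "/boafrm/formSysCmd", "sysHost=8.8.8.8%7CPLACEHOLDER"),
    ("192.0.2.77", "/", "sysHost=8.8.8.8%7CPLACEHOLDER"),  # other path: ignored
]

if __name__ == "__main__":
    for src, value in flag_requests(SAMPLE):
        print(f"suspicious {DIAG_PARAM} from {src}: {value!r}")
```

Because the check accepts only address and hostname syntax, it also flags other shell metacharacters and whitespace in sysHost, not just the pipe described above.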